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NATIONAL SECURITY AGENCY 
CENTRAL SECURITY SERVICE 
OFFICE OF THE INSPECTOR GENERAL 



22 March 2019 


TO: DISTRIBUTION 



SUBJECT: (U//F QU 6j Report on the Review of the National Security Ageiicy/Ceiitral Security 
Service’s Deletion of Certain USA FREEDOM Act Data (ST-l 8-0008) - Special Study 


(U) Summary 

TTSTTSWNF^Following the discovery that the National Security Agency/Central Security Service 
(NSA) received inaccurate call detail records (CDRs) pursuant to the USA FREEDOM Act (UFA), 
and a subsequent request by two U.S. Senators for an independent review of certain aspects of 
NSA’s UFA program, including whether NSA’s deletion was sufficient to ensure that all 
inaccurate CDRs were deleted, the NSA Office of the Inspector General (OIG) conducted a limited 
scope study of NSA’s deletion of CDRs and data derived from those CDRs (hereafter collectively 
refeired to as “UFA data objects") ingest ed prior to 23 May 2018. ' The OIG generally found that 
NSA had been successful in deleting the l |U FA data objects derived from 

CDRs that it received from U.S. telecommunications service providers under the UFA program; 


however, we identifie dj / that should have been deleted, but 

were not based upon NSA’s mistaken assumptioiuggai^inujhe age*o*ff configurations for a single 
signals intelligence (SIGINT) repository | | * 'A% result, we make one 

recommendation to assist the Agency in stfengthening its controls in the event that a future UFA 


(b)(3)-P.L. 86-36 


(b) 

(b) 


( 1 ) 

(3)-P.L. 


86-36 


‘ (U) The OIG also coiuimics to consider gdditional controls associated with NSA's .UfA* program for possible future 

review, •. . * . * 

• . * • 

- (TS.VSl'.'I'JT) Beginning on 29 November 2015; llie UFA amendiiients to (lie Fpfeign Intelligence Surveillance Acl 
(FIS.^) provided a new nieclianism for the Govcmnieni to obtain orders’ for Uji^eted produciion of CDEts relating to 
authorized investigations to protect against iniernational.lerropsm. NSA staled that, on 30 November 2015, tlie 
Foreign Iniclligence Surveillance Conn (FISC) ap provcd.Utd First appiieatioii u nder the targeted CDR production 
provisions of UFA. I .* 


t 


Jco’iumimicaiions mcindaia is the dialing, routing. 


I 


addressnic. or signaTm^nTomiau^riissocIaietl \v iili cicciroiiic coninmincfllion events, rojinnunicaiions niciadaia 
doc5jio^^conlanHhe^£onicnl^^ofcornji<lmicalioiis^^^^^^ 
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(b) (1) 

(b)(3)-P.L. 86-36 


deletion is required, and one recommendation for the Agency to consider .\^l\ether it needs Q 

reissue or revise its notifications to the FISC and the Congress, as detailecf beloW. * ■« 

. * • . *» 

. * ’ . * • ' * 
(U) Background ♦* ■ _■ J 

* • ^ ^ 

(TSi^/SLWlF) NSA reported to the FISC, through jhe* Department qf Justice National Security* 

Division via a Rule 13(b) Disclosure of Nqiv-Cbmpliance notification, “Siipplemenicil Noilc(* 
Regarding Applicaiions of the Federal 'Bureau of Investigadon for Orders Requiring fhi* 
Production of Call De tail Records Jo'/he National Reciir/iv Avencv. Various Docket ^ wnhens.i 
dated 4 June 2 018. tliatP ^ Iandfa3m| 

approxim ately f" . •' [ 

provided inaccurate CDRs (caused by system errors) to NSA vdiile' 
res ponding to various docket numbers approved purs tiant to UFA. NSA fiirther stated that because .■ 
the | 1 ^- • identify the affected CDRs for SlSA f. 

due to legal restrictions, and because NSA had no way to independently detennine which CDRs ' 
contained inaccurate information, NSA did not have a viable way to remove affected UFA-data 
objects and retain unaffected UFA data objects. As a result, on 23 May 2018, NSA began deleting j 
from its SIGINT repositories all UFA data objects ingested prior to that date.-^ I . 1. 


_|On 

_ _ notified the OIU that all UFA data objects ingested prior to 23 May 2018 
had either been deleted or aged-off from NSA’s SIGINT repositories. Subsequently, the OIG 
conducted indepenclent verification testing from September through mid-October 2018, 

(U/iHF OUO) Prior to verification testing, the OIG obtained from NSA a list that it certified to be 
accurate and complete of all repositories (hereafter referred to as “declared SIGINT repositories”) 
that retained UFA data objects ingested prior to 23 May 2018. The OIG further obtained from 
NSA the actions it took to del.ete or age-off UFA data objects from the declared SIGINT 
repositories. It is important to note that the OIG does not have the capability to search NSA 
systems to independently verify that*the NSA-declared SIGINT repositories are the only systems 
that retain UFA data objects. If NSX-were to retain UFA data objects outside of the declared 
SIGINT repositories (e.g., shared directories accessible by trained and authorized NSA personnel), 

the OIG would have no way to detect that cTafa,^ As a result, the OIG focused its review only on 

• 

« 

’ (TDA'0L')T ‘ ir) NSA slated that, as atidiorized. it retained UFA data objects ingested prior lo 2.3 May 2018 that support 
disseniinaied NSA SIGINT product reports. In a Rule 13(b) Disclosure of Non-Compliance iiolification filed with 


the FISC on 4 June 2018. NSA stated that it had detenuined that infoniiaiion in one rcoon 


ieved to contain inacaimie infonnsuon from CDRs 


into repon 


of data tortile recaiiea report. .Ljisily, 

(includes the reissued report disciisSed above) 


•' (U/ ; f OU &) On 5 September 2018, NSA issu^ a‘fiotic^ 16 -analysts- (jnd technical personnel tilled. '‘YouJ- 
Rexponsihilily/or the DeU’iioii of Tide V. USA FREEDOM AciTSafat".}^ A pefs9ime\ weteljisVi'cied to review ilioir 
personal files and working papers for. UFA data objects ingested prior to i.VMiiy 7048, 'if UFA data objects 



• * «• 
• I 



(b) (1) 

(b)(3)-P.L. 86-36 
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the NSA-declared SIGINT repositories. For the declared SIGINT repositories, the OIG requested 
and obtained system-generated reports from September 2018 that documented either all UFA data 
objects retained in those repositories or the presence of UFA data objects ingested prior to 
23 May 2018. r— j I 


(U) Results 


(b) (1) 

(b)(3)-P.L. 86-36 


Based on the OIG’s review of s^tem reoorts obtained for the 



Subsequently, the QIG requested and!_I based on the results of a 


system search, cohtinned that th d » l had been deleted from i | 

« • • 

(T0//0I/iT ‘ ir) .The NSA Office of Counterterrorism, In coor dinati on with the Office of general 
^ounsel_^GC), Office of Compliance forICapabilities, and | I detennined that the remaining 
"[ data objects that support dissenjinated NSA SIGINT pcoducf,reports should remain in 
Kt o ensure that NSA maintains the ^urce information forthipse r^orts. At that time, NSA 
had not yet notified the FISC that it had completed the deletion of all UFA data objects ingested 
prior to 23 Nfay.2018 in respons e to an eas ier compliance problem.^ Therefore, OGC concluded 
that NSA’s delay'in.deleting the l I data objects was not a new compliance violation. 

’ ; 

^ ■ G//0L')T * ir) ’ Subsequently, on 25 October 2018, NSA reported to the FISC via a Rule 13(b) 
Disclosure of Non-Compllaric§ notification, "Final Notice Regarding ^ppijcalions of the Federal 
Bureau of Investigation for Orders Reqi/irhig the Production of Ciill Detail Records'^ to the 
Nalio)ial Security Agency, Various 'Docket Numbersf that, on 22 Augnst 2018, NSA confirmed 

- .. • . . 

found. NSA personnel were inslnicted to iinuicdiatcly delete tlie data. The only allowable exception was for UFA 
data objects that support disseminated NSA SIGINT prodai^t reports. TIte Agency did not.require analysts or tecluiical 
personnel to report wliether UFA data objects were siibsequdntly detected and deleted, so tllere is no data trail for the 
OIG 10 audit how much data was detected and deleted asaresiiftofNSA’s insinictiou orbtlierwise. 



(U) During"tills limited scope study, the OIG did not review the timeliness of NSA.iiotifications sent io"external 
overseers. The OIG is currently performing a separate study that will generally assess NSA’'s incident manligemeni 
and reporting comrols. ■ 

-I (b)(3)-P.L. 86-36 
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the deletion of UFA data objects ingested prior to 23 May 2018. NSA further stated that after 
deleting the UFA data objects, it conducted additional e xaminations ofNSA repositories and found 
a small number of “CDR remnants” (referring to the | data objects that the OIG had 

discovered) in one system, which included some CD^ erived data fi elds but not the entire CDRs. 
NSA stated that the CDR renmants were deleted on | • ^ Separately, on 28 December 

2018, NSA sent Congressional Notifications, ‘'Update Regardhtg the National Secnriiy Agency's 
(NSA) Deletion o/Ca// to the House P^manent SeleCt Committee on Intelligence 
(HPSCI) and Senate Select Committee on Intelligeppe (SSCI) to'iiotify them of the OIG’s 
discovery and NSA’s deletion of a small number of “C DR remnants’- in o ne system that should 
ha ve been included i n the original deletion completed ot j ‘ | and were later deleted 

on | ^ In both the notifications to the FiSC and to the HPill and SSCI, the NSA 

stated that CDR remnants were in data fields that “are ifot seen or used by die analyst community, 

but are used for tracking'and management purposes.” • • ■ 

* * ■ * 
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; ST-18-0008 



*• 

(U//POUO) Determine whether the Rule 13(b) notification, issued 25 October 2018, and 
the Congressional Notifications, issued 28 December 2018^ should be reissued or 
revised to clarify statements regarding CDR remnants. !; 


LEAD ACTION: D2 
SECONDARY ACTIOnI : 


(U) Management Response 

(U) AGREE The action requested by the subject recommendation has already been completed. 

(U// P6U Q^ Notifications issued to the FISC are written and coordinated by the Department of 
Justice’s National Security Division and written notifications to various committees of the 
Congress are coordinated by the Agency’s Legislative, State, and Local Affairs (P3). Such 
records are not reissued or revised. Supplemental infonnation, clarifications, and corrections to 
such records are routinely provided through formal and infonnation Executive Branch 
engagements with the FISC and Congress, to the extent otherwise necessary to facilitate 
oversight of NSA intelligence activities within the relevant jurisdictions of these separate 
branches of Government. 




(U) OIG Comment ;• 

• 

(U) The planned action meets the intent of the recommendation. This recommendation has be|n' 
closed. 


(b) (1) 

(b)(3)-P.L. 86-36 
(b> (5) 
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(b) (3)-P.L. 86-36 



(U// r0U0 ^ update applicable procedures so that, regardless ofwQat corporate process 
NSA uses to delete data in response to a future UFA compliancy and/or policy issue, 
they are sufficient to ensure that the Agency confirms, by reviewing system generated 
reports, that all UFA data has been deleted from NSA SIGINT repositories. Furthermore, 
the procedures should include a requirement that, when age-off mechanisms are relied 
on to delete that UFA data, NSA will confirm the age-off configurations and review 
system-generated reports to confirm that all UFA data objects arem ot retrievable. 


LEAD ACTION 
SECONDARY ACTION| 


(U) Management Response 


(U//pewD agreeF 


(U) OIG Comment 

(U) The planned action meets the intent of the recommendation. 


(b)(3)-P.L. 86-36 
(b) (5) 


(U) In accordance with NSA/CSS Policy \-(>Q,NSA/CSS Office of the Inspector General, 24 March 
2016, and IG-11925-18, Follow-up Procedures for OIG Final Report Recommendations, 1 August 
2018, actions on OIG recommendations are subject to monitoring and follow-up until completion. 
To request that a recommendation be closed, please provide sufficient evidence to show that 
actions have been taken that fiilly comply with the recommendation. If you believe an action to 
be overtaken by events (OBE) and no longer applicable, please provide a justification and 
evidence. If a planned action will not be completed by the original target completion date 
identified in the report, please provide the reason for the delay and forward a revised target 
completion date to the OIG. All requests related to recommendation closure, including those 
recommendations believed to be OBE, should be submitted to Follow-up Program Manager, at DL 
Dl^Followup (ALIAS) Dl. 


TOP g ECnET//SI/fffOrORN - 
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(U) Further, each tasked Directorate should add recommendations listed in this report to its existing 
OIG open recommendations for inclusion in the bimonthly updates to the OIG, which are due I 
January, 1 March, I May. I July, I September, and I November. A separate action will be sent 
for the 1 March and I September bimonthly updates in advance of the release of the OlG’s Semi- 
Annual Report to Congress. 


(U/iTOUO) We appreciate the courtesy and cooperation extended to the evaluators throughout 
thcj|evicWj_^o£mJditioi^l information, please contact 
all 


on 963-0922(s) or via e-mail 


(b)(3)-P.L. 86-36 



ROBERT P. STORCH 
Inspector General 


(U) This report might not be releasable under the Freedom of Information Act or other 
statutes and regulations. Consult the NSA/CSS Inspector General Counsel before releasing 

or posting all or part of this report. 


iop«EcncT//n[j'/i »i orQRN 

NSA FOIA CasJl05767 Page 075 




Doc ID: 6672881 


TOP OCCRCT//SI//NOronN 


ST-18-0008 


(UA^P OUO ^ DISTRIBUTION: 

DIRNSA 
D/DIR 
EX/DIR 

Q a .. ......* 

J. Darbv l lu. Laili^ . • [ T. •. 


(b) (3)-P.L. 86- 




. G. Smithbc Hiefl 
D2 :.G.‘Gcrstcl l| iT, Anthon^T 

r~fj. Mulligan' *“ 






(U/ /rOUQ) cc: 

D2: P. Moirisl 


\ 


D5: R. Richard 


S 

> 

«■ 


P7: P. RcynoCT 


S 

*$ 

•» 

s 


■oGr_ 

HPSCT 

SSCl 

IG 

D/iG 

D.r 

Dl^ 

D12 

DL’ 

D14 



1 
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(U) APPENDIX A: MANAGEMENT RESPONSES 


NSA/CSS OFFICE OF THE INSPECTOR GENERAL 
MANAGEMENT RESPONSE FORM 


MEMORANDUM 


TO: OlllcL ofllic liispccior Cicncnil (OKi) 

FROM: onicc of Genera I Counsel. Operationnl Auihoriiics Prnciiee (iroiip (1)21) 

DATE: 12 Mnicli 2010 

SlUMECT: (IJ/iiWiJWtt.) S1-18-0008 - Special Slmly- Draft Report on ihe Review ol NSACSS s 
Deletion ofCerlain USA FRIiDOM Act ITala. 


(U/>W>JO) I Itis memonimlom provides the NSA/CSS OKi res(K>nsc to llic subject draft report. 

{U//rOUO) IG Rcconiniciidiitifln t: (U/A'OIJG)^ Determine wlicdtcr the Rule I.Mb) iiotiricalioii. issued 
25 Ocloher 2018. and the Congressional Notifications, issued 28 December 2018. should be reissued or 
revised to clarify .siaienicnts regarding CDR rcninanis. 

(I Agree X tir Di.sagree_ 

{U//i*©W^^Tiiiget Completion Date: N/A 

(U//littUtt) Coordtiiated with Secomlar>' Actionec(s): Yes_No X 

(U//l*©©©^Sccondnry Aclioncc POC: N/A 

(U//l 'OUe ^ Date of Coordination: N/A 

(U/y1*OWO) Mnmtgcmcnt's Comments: 

• (U//f’OUO) ilK action rcqiicsicd by the .subject recommendation lias already been 
conipleled. 

• (U// FOUO) Noiincaiions issued to the Foreign Imelligcnec Surveillance Court (l-ISC) 
are written and coordinated by the Department of Justice's National Security Division 
ant! written nolifieaiions to various committees of the Congress aic cotrrtlinnlcd by the 
Agency's Legislative. Slate, and Local Affairs (P3). Such records are not reissued or 
revised. Supplemental informalion. clarifications, and correetions to such records arc 
routinely provided through ftronal and infonnal E.veculivc Druuch engagements with the 
FISC anil Congress, to the extent otherwise necessarv" to facilitate ov ersight ofNSA 
intelligence activities within the relevant Jurisdictions of these separate brandies of 
Cioverinncni. 



(b) (1) 

(b)(3)-P.L. 86-36 


CKissilied 

l).‘nvucl fK.iti. NSa-ZeSSM l.'s? 
Datoil 

D-iiassify On ■‘Cl ) lOllI U 


(b)(3)-P.L. 86-36 
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NSA/CSS OFFICE OF THE INSPECI OR GENERAL 

mana(;ement rf^sponse form 


MEMORANDUM 


TO: Onicc of the InsjweiorGcncral(OIG) 


FROM: 



(b)(3)-P.L. 86-36 


DATE: 11 March 2019 


SUB.JKC1: UFA IX'letc Repon, S I 18-0008 


(U'-fOLKililThis iiicmorandum prin-idcsiheNSA/CSS OJG rcspoii|(^lollicsubject dral'l report. • 
Ki Rccotumcii(li>tion2: 

• * , . • 

(U//reU9i) Update applicable proccd«ws^5o that. rcj 2 ardl<;^$a)f uliat corporate process NSA uses 
to delete data in response to Itiiiirc UFA eonipliiiucc and/or |1olicy issues. the>' arc siil'llcient to 
ensure that the Agency confirms. l^Vavicwing review sy^iCQi-gcneraicd reports, that all Ui'A ■ 
data has bccit dclcicd from NSA.SKjfNT repositories, l•l^rtllc^norc. the iwocccliire.s sltoiild 
ineliitlea requirement that, when agc-olVmcchanismsar<frcGedoii to delete that UI'A data. NSA 
will conllrm the agc-oRconfigurotions .and review s>steni-t«;ncr.aied rc(Kins to coiinnn that all 
UI'A cliiia objects iir(^iiou«lric3.’ablc- * | 

LEAD ACTION: ! ' T ’ ♦ 

Sccoiidni'v Action! I * * 


(U//rOt?©) Agree X or Disagree_ * * 

• • 

(U//P©ee)Target Completion Dale: 09/30/2019 • 

w * 

(U//KDU©) Coordinated with .Secondary Aclionce^n): Yes X No 


{U//rOUO) lVIanagcmenfs_Conunon^ 
(U//r©H©)[ 




havecoordin.atcd their res])Oiiseon this 
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UNCLASSiFiED// ron orr i c i AL use 


(b)(3)-P.L. 86-36 


■f" 


(U// rouo ) 


(Tw 




£ 




a 


(U/' r(3lJO) Lend Actioi^ 
procedures revicw.r 
the event ol a future cleleiiou. 

(U//l'OUO) Additional Comments -I 


Jvvill eiHifdinaie the ^ ■ 
fvill lead the verilkulion iif ‘ 

• 

i; ■ 



(U// rOUO) Thiiiik you l\«-the opportunity to re view and respond to i)ic OIG drni'i l epori. Il'vmi liavc ’ 
ruilhcr ciiicstions or eoneems. please contact ihc| 

992-5053. ' 


(b) (3)-P.L. 86-36 
(b) (6) 

Director of Opcratioii-s. NSA/CSS ' 


J'O'N'AUlAKL.DA'kHV 


UMCLASSiFiHV /roiiorr i c i riL uoi. ontj 
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UNCLASSIFlED/ /r o n ornC I AL UOC OM t¥- 

NSA/CSS OFKICK OF THE INSPECTOk GENERAL 
MANAGEMENT RESPONSE FORM 

MEMORANDUM 

TO; Ofllce of the Inspector General (OIG) 

FROM: I 

DA'I'E: 11 March 2019 

« 

SUBJECT; UFA Delete Report. S1-I8-OOOR 


(U//rOUO) This niemorandtim provides the NSA/CSS OIG response to the subject draft report. 


(U//l*©W0j IG Rccommcridaiion 2: • 

• 

(U//K3UO) Update applicable procedures so that, regardless of \<^ai corporate process NSA uses 
to delete data in response to future Ul-A compliance and/or policy issues, they are sufneient to 
ensure that the Agency confirms, by reviewing review sysicm-gcneralcd reports, that all UTA 
data has been deleted from NSA SKilN I repositories, l-urihcrmore, the procedures should 
include a requirement that, when agC'Ofr mechanisms are relied on lu delete that UI'A data, NSA 
will confirm the agc>ofTconfigureiions and review sysicimgcncraicd repb/is to conflnn that all 
U I-A data objects arcnolrctricvablc. • 

LEAD ACl lON^ | 

Secondary Action ^ | ' *.. 


(b) (3)-P.L. 86-36 


(U/jt‘01JQl Agree X or Disagree_ 

(U// roU » ) Target Completion Date: 09/30/2019 

{U//r©W©) Coordinated with Secondary Aclionec(s): VeS X No 


(U//riI5U@) l\1anagciii£nEs^«>iiinjcnlsj^^_^^^ * • ■ 

{U/i‘EOUO)| I have coordinated their response on this * 

action. 


(U//h^ tj iQjf 



UNCLAStill II ij/,twaa^.i 


TOP S ECnET//Ot//NOrOR fr 
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TOP 3ECRET//ai//P<OrOR?( 


UNCIASSIFIED/Aon OrriGtftl UCC Of^LV 



(U//t*@UO^ Thank you for the opportunity to review and respond to theOIG draft-reporl. If you have 
further questions or concerns, please contact the Capabilities Leadership Support gervices. r 
992-5053. 


(b) (3)-P.L. 86-36 


X I ^ 

Greaorvi- Smitnbc'ae' 


(b) (6) 


Iff 1^1 II "i i 1 "‘I 'V 'f 
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